Method: Puppet::Util::Windows::Security#parse_dacl

Defined in:
lib/puppet/util/windows/security.rb

#parse_dacl(dacl_ptr) ⇒ Object 



412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
 
# File 'lib/puppet/util/windows/security.rb', line 412

def parse_dacl(dacl_ptr)
  # REMIND: need to handle NULL DACL
  if IsValidAcl(dacl_ptr) == FFI::WIN32_FALSE
    raise Puppet::Util::Windows::Error.new(_("Invalid DACL"))
  end

  dacl_struct = ACL.new(dacl_ptr)
  ace_count = dacl_struct[:AceCount]

  dacl = Puppet::Util::Windows::AccessControlList.new

  # deny all
  return dacl if ace_count == 0

  0.upto(ace_count - 1) do |i|
    FFI::MemoryPointer.new(:pointer, 1) do |ace_ptr|

      next if GetAce(dacl_ptr, i, ace_ptr) == FFI::WIN32_FALSE

      # ACE structures vary depending on the type. We are only concerned with
      # ACCESS_ALLOWED_ACE and ACCESS_DENIED_ACEs, which have the same layout
      ace = GENERIC_ACCESS_ACE.new(ace_ptr.get_pointer(0)) #deref LPVOID *

      ace_type = ace[:Header][:AceType]
      if ace_type != Puppet::Util::Windows::AccessControlEntry::ACCESS_ALLOWED_ACE_TYPE &&
        ace_type != Puppet::Util::Windows::AccessControlEntry::ACCESS_DENIED_ACE_TYPE
        Puppet.warning _("Unsupported access control entry type: 0x%{type}") % { type: ace_type.to_s(16) }
        next
      end

      # using pointer addition gives the FFI::Pointer a size, but that's OK here
      sid = Puppet::Util::Windows::SID.sid_ptr_to_string(ace.pointer + GENERIC_ACCESS_ACE.offset_of(:SidStart))
      mask = ace[:Mask]
      ace_flags = ace[:Header][:AceFlags]

      case ace_type
      when Puppet::Util::Windows::AccessControlEntry::ACCESS_ALLOWED_ACE_TYPE
        dacl.allow(sid, mask, ace_flags)
      when Puppet::Util::Windows::AccessControlEntry::ACCESS_DENIED_ACE_TYPE
        dacl.deny(sid, mask, ace_flags)
      end
    end
  end

  dacl
end